Terracotta VPN, the Chinese VPN Service as Hacking Platform

Pierluigi Paganini August 05, 2015

A Chinese-language Virtual Private Network service provider dubbed Terracotta VPN offers a network of compromised servers as a stealth hacking platform.

According to RSA Security, a China-based virtual private network (VPN) service provider offers hacking crews a network of compromised servers that can be used to carry out stealthy cyber attacks.

The attacks appear to come from legitimate IP addresses belonging to organizations with a good reputation, making it difficult for the victim to identify the real source of the attack.

The VPN service identified by RSA, and dubbed by the company Terracotta VPN, “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world.” Terracotta VPN is a commercial VPN service provider with over 1,500 nodes around the world; the majority of its servers are actually compromised Windows systems belonging to SMBs.

“Terracotta’s network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim’s knowledge or permission. New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base,” RSA wrote in a report. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”

Operators behind Terracotta VPN target Windows servers with brute-force attacks to crack an administrator’s password. Once they have the admin credentials, they disable the Windows firewall and any other security software and then install a remote access Trojan. The last step is the creation of a new administrative account on the server and the installation of a Windows VPN service.
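The enlistment chain described above leaves a recognisable trail in Windows event logs: a burst of failed logons, a success, then a firewall stop, a new account, a group change and a new service within a short window. The detector below is an added example written for this article, not RSA's or Krebs' code; the event IDs are standard Windows IDs, while the hostnames, account names and records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records, not taken from the RSA report.
# Tuple: (timestamp, event ID, host, account, detail). IDs used: 4625 failed
# logon, 4624 successful logon, 5025 Windows Firewall service stopped, 4720 user
# created, 4732 member added to a local group, 7045 service installed (System
# log; "RemoteAccess" is the built-in RRAS service that provides Windows VPN).
SAMPLE_EVENTS = [
    ("2015-07-01T02:00:01", 4625, "srv01", "administrator", "bad password"),
    ("2015-07-01T02:00:02", 4625, "srv01", "administrator", "bad password"),
    ("2015-07-01T02:00:03", 4625, "srv01", "administrator", "bad password"),
    ("2015-07-01T02:00:04", 4625, "srv01", "administrator", "bad password"),
    ("2015-07-01T02:00:05", 4625, "srv01", "administrator", "bad password"),
    ("2015-07-01T02:00:09", 4624, "srv01", "administrator", "logon type 10 (RDP)"),
    ("2015-07-01T02:01:30", 5025, "srv01", "administrator", "firewall service stopped"),
    ("2015-07-01T02:02:10", 4720, "srv01", "administrator", "created user vpnadm"),
    ("2015-07-01T02:02:12", 4732, "srv01", "administrator", "vpnadm -> Administrators"),
    ("2015-07-01T02:03:40", 7045, "srv01", "SYSTEM", "service RemoteAccess installed"),
    ("2015-07-01T09:15:00", 4625, "srv02", "jdoe", "bad password"),  # one typo, benign
    ("2015-07-01T09:15:20", 4624, "srv02", "jdoe", "logon type 2"),
]

FAIL_THRESHOLD = 5                    # failed logons that count as a brute-force burst
FAIL_WINDOW = timedelta(minutes=10)   # ...within this span, per host and account
FOLLOWUP_WINDOW = timedelta(hours=1)  # look-ahead for the enlistment steps
POST_COMPROMISE = {5025: "firewall stopped", 4720: "account created",
                   4732: "group membership change", 7045: "service installed"}


def detect_enlistment(events):
    """Return (host, account, [indicators]) for every successful logon that was
    preceded by a brute-force burst and followed by enlistment-style actions."""
    events = sorted(((datetime.fromisoformat(ts), eid, h, a, d)
                     for ts, eid, h, a, d in events), key=lambda e: e[0])
    failures = defaultdict(list)      # (host, account) -> recent 4625 timestamps
    alerts = []
    for ts, eid, host, acct, _ in events:
        key = (host, acct)
        if eid == 4625:
            failures[key] = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
        elif eid == 4624 and len(failures[key]) >= FAIL_THRESHOLD:
            steps = [POST_COMPROMISE[e] for t, e, h, _, _ in events
                     if h == host and e in POST_COMPROMISE and ts < t <= ts + FOLLOWUP_WINDOW]
            if steps:
                alerts.append((host, acct, steps))
            failures[key] = []        # burst consumed; start counting afresh
    return alerts
```

Running `detect_enlistment(SAMPLE_EVENTS)` flags srv01 only; the single failed logon on srv02 never reaches the threshold, so an ordinary mistyped password does not alert.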

RSA experts discovered that the majority of the servers in the Terracotta network are compromised machines located in China, Japan, South Korea, the United States, and some countries in Eastern Europe.


The list of victims is long. According to the report, it includes a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor’s office, school and university systems, and a county government for an unidentified U.S. state.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA states in the report.

The name Terracotta VPN assigned to the malicious infrastructure is a clear reference to the Chinese Terracotta Army. Hacker crews are thought to use Terracotta to run attacks while remaining anonymous, and the experts speculate that well-known APT groups, including “Shell_Crew” and “Deep Panda,” have used it.

RSA suspects that state-sponsored hackers have leveraged at least 52 Terracotta VPN nodes to hit targets among private firms and government organizations. A report provided to RSA by a large defense contractor confirms that 27 different Terracotta VPN node Internet addresses were used in phishing campaigns targeting users in its organization.

“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%) were associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated. “Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”

RSA grouped the victims into “three classes”: the first includes consumers who purchase Terracotta believing it to be a legitimate VPN service; the second includes more than 300 companies whose servers have been compromised; the third consists of the organizations attacked through the Terracotta VPN.

Criminal organizations renting out networks of compromised servers are nothing new; what is new is the commercial offering of Terracotta VPN, which is marketed under several different brands and websites but is run by a single commercial enterprise.

RSA reported its findings to the U.S.-based victims whose servers were part of the Terracotta VPN, and it is also publishing the list of malicious IP addresses and domains it has identified as part of the Terracotta VPN infrastructure.

As the well-known security investigator Brian Krebs explained, RSA included a single screenshot of software used by one of the commercial VPN services, carefully omitting any information that would allow readers to find the websites offering Terracotta VPN.

One of the domains identified in the report is 8800free[dot]info, a good starting point for Krebs’ investigation. Krebs is a master, and I decided to propose an excerpt from his analysis to show you how to proceed in cases like this.

“A lookup at Domaintools.com for the historic registration records on 8800free[dot]info show it was originally registered in 2010 to someone using the email address “xnt50@163.com.” Among the nine other domains registered to xnt50@163.com is 517jiasu[dot]cn, an archived version of which is available here.

Domaintools shows that in 2013 the registration record for 8800free[dot]info was changed to include the email address “jzbb@foxmail.com.” Helpfully, that email was used to register at least 39 other sites, including quite a few that are or were at one time advertising similar-looking VPN services.

Pivoting off the historic registration records for many of those sites turns up a long list of VPN sites registered to other interesting email addresses, including “adsyb@163.com,” “asdfyb@hotmail.com” and “itjsq@qq.com” (click the email addresses for a list of domains registered to each). Armed with lists of dozens of VPN sites, it wasn’t hard to find several sites offering different VPN clients for download. I installed each on a carefully isolated virtual machine (don’t try this at home, kids!).

None of the VPN clients I tried would list the Internet addresses of the individual nodes. However, each node in the network can be discovered simply by running some type of network traffic monitoring tool in the background (I used Wireshark), and logging the address that is pinged when one clicks on a new connection,” explained Krebs.

Pierluigi Paganini

(Security Affairs – Hacking, Terracotta VPN)